Improved token security

...by adding salt. These token are used in form which act on data to
prevent CSRF attacks.
This closes issue https://github.com/sebsauvage/Shaarli/issues/24

diff --git a/index.php b/index.php
index 4068272c0b84f36f940dde37d95aad217aca1934..0bdb6d83311d02a7e7cf17c912472f6277a9e20a 100644 (file)
--- a/index.php
+++ b/index.php
@@ -576,7 +576,7 @@ if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array();  // Token are atta
 // Returns a token.
 function getToken()
 {
-    $rnd = sha1(uniqid('',true).'_'.mt_rand());  // We generate a random string.
+    $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']);  // We generate a random string.
     $_SESSION['tokens'][$rnd]=1;  // Store it on the server side.
     return $rnd;
 }